Home Explore Help
Register Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6b98d77d57
Branches Tags
elasticsearch
/
docs
/
reference
/
security
/
authentication
/
remote-clusters-privileges-api-key.asciidoc

remote-clusters-privileges-api-key.asciidoc 3.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108 
  1. [[remote-clusters-privileges-api-key]]
    2. 

  2. === Configure roles and users
    3. 

  3. 

  4. To use a remote cluster for {ccr} or {ccs}, you need to create user roles with
    5. 

  5. <<roles-remote-indices-priv,remote indices privileges>> or
    6. 

  6. <<roles-remote-cluster-priv, remote cluster privileges>> on the local cluster.
    7. 

  7. 

  8. You can manage users and roles from Stack Management in {kib} by selecting
    9. 

  9. *Security > Roles* from the side navigation. You can also use the
    10. 

  10. <<security-role-apis,role management APIs>> to add, update, remove, and retrieve
    11. 

  11. roles dynamically.
    12. 

  12. 

  13. The following examples use the <<security-api-put-role>> API. You must have at
    14. 

  14. least the `manage_security` cluster privilege to use this API.
    15. 

  15. 

  16. NOTE: The cross-cluster API key used by the local cluster to connect the remote
    17. 

  17. cluster must have sufficient privileges to cover all remote indices privileges
    18. 

  18. required by individual users.
    19. 

  19. 

  20. ==== Configure privileges for {ccr}
    21. 

  21. 

  22. Assuming the remote cluster is connected under the name of `my_remote_cluster`,
    23. 

  23. the following request creates a role called `remote-replication` on the local
    24. 

  24. cluster that allows replicating the remote `leader-index` index:
    25. 

  25. 

  26. [source,console]
    27. 

  27. ----
    28. 

  28. POST /_security/role/remote-replication
    29. 

  29. {
    30. 

  30.   "cluster": [
    31. 

  31.     "manage_ccr"
    32. 

  32.   ],
    33. 

  33.   "remote_indices": [
    34. 

  34.     {
    35. 

  35.       "clusters": [ "my_remote_cluster" ],
    36. 

  36.       "names": [
    37. 

  37.         "leader-index"
    38. 

  38.       ],
    39. 

  39.       "privileges": [
    40. 

  40.         "cross_cluster_replication"
    41. 

  41.       ]
    42. 

  42.     }
    43. 

  43.   ]
    44. 

  44. }
    45. 

  45. ----
    46. 

  46. // TEST[skip:TODO]
    47. 

  47. 

  48. After creating the local `remote-replication` role, use the
    49. 

  49. <<security-api-put-user>> API to create a user on the local cluster cluster and
    50. 

  50. assign the `remote-replication` role. For example, the following request assigns
    51. 

  51. the `remote-replication` role to a user named `cross-cluster-user`:
    52. 

  52. 

  53. [source,console]
    54. 

  54. ----
    55. 

  55. POST /_security/user/cross-cluster-user
    56. 

  56. {
    57. 

  57.   "password" : "l0ng-r4nd0m-p@ssw0rd",
    58. 

  58.   "roles" : [ "remote-replication" ]
    59. 

  59. }
    60. 

  60. ----
    61. 

  61. // TEST[skip:TODO]
    62. 

  62. 

  63. Note that you only need to create this user on the local cluster.
    64. 

  64. 

  65. ==== Configure privileges for {ccs}
    66. 

  66. 

  67. Assuming the remote cluster is connected under the name of `my_remote_cluster`,
    68. 

  68. the following request creates a `remote-search` role on the local cluster that
    69. 

  69. allows searching the remote `target-index` index:
    70. 

  70. 

  71. [source,console]
    72. 

  72. ----
    73. 

  73. POST /_security/role/remote-search
    74. 

  74. {
    75. 

  75.   "remote_indices": [
    76. 

  76.     {
    77. 

  77.       "clusters": [ "my_remote_cluster" ],
    78. 

  78.       "names": [
    79. 

  79.         "target-index"
    80. 

  80.       ],
    81. 

  81.       "privileges": [
    82. 

  82.         "read",
    83. 

  83.         "read_cross_cluster",
    84. 

  84.         "view_index_metadata"
    85. 

  85.       ]
    86. 

  86.     }
    87. 

  87.   ]
    88. 

  88. }
    89. 

  89. 

  90. ----
    91. 

  91. // TEST[skip:TODO]
    92. 

  92. 

  93. After creating the `remote-search` role, use the <<security-api-put-user>> API
    94. 

  94. to create a user on the local cluster and assign the `remote-search` role. For
    95. 

  95. example, the following request assigns the `remote-search` role to a user named
    96. 

  96. `cross-search-user`:
    97. 

  97. 

  98. [source,console]
    99. 

  99. ----
    100. 

  100. POST /_security/user/cross-search-user
    101. 

  101. {
    102. 

  102.   "password" : "l0ng-r4nd0m-p@ssw0rd",
    103. 

  103.   "roles" : [ "remote-search" ]
    104. 

  104. }
    105. 

  105. ----
    106. 

  106. // TEST[skip:TODO]
    107. 

  107. 

  108. Note that you only need to create this user on the local cluster.
    109.